CVE-2012-4404
First published: Mon Sep 10 2012(Updated: )
`security/__init__.py` in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as "All," "Known," or "Trusted," which allows remote authenticated users with virtual group membership to be treated as a member of the group.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/moin | >=1.9<1.9.5 | 1.9.5 |
| MoinMoin | =1.9.0 | |
| MoinMoin | =1.9.1 | |
| MoinMoin | =1.9.2 | |
| MoinMoin | =1.9.3 | |
| MoinMoin | =1.9.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16
- http://moinmo.in/SecurityFixes
- http://secunia.com/advisories/50474
- http://secunia.com/advisories/50496
- http://secunia.com/advisories/50885
- http://www.debian.org/security/2012/dsa-2538
- http://www.openwall.com/lists/oss-security/2012/09/04/4
- http://www.openwall.com/lists/oss-security/2012/09/05/2
- http://www.ubuntu.com/usn/USN-1604-1
- https://nvd.nist.gov/vuln/detail/CVE-2012-4404
- https://github.com/moinwiki/moin/commit/b7791166cb3613d07c6e8eea966b4f763b2de660
- https://web.archive.org/web/20151016233452/http://secunia.com/advisories/50885
- https://web.archive.org/web/20151017041746/http://secunia.com/advisories/50474
- https://web.archive.org/web/20151017041755/http://secunia.com/advisories/50496
- https://github.com/advisories/GHSA-g4mx-rm5q-vh24 (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/moin/PYSEC-2012-10.yaml
Frequently Asked Questions
What is the severity of CVE-2012-4404?
CVE-2012-4404 is classified as a medium severity vulnerability, which can allow unauthorized access to groups.
How do I fix CVE-2012-4404?
To fix CVE-2012-4404, upgrade to MoinMoin version 1.9.5 or later.
Who is affected by CVE-2012-4404?
CVE-2012-4404 affects MoinMoin versions 1.9.0 to 1.9.4, allowing remote authenticated users to gain improper group access.
What types of group names are involved in CVE-2012-4404?
The vulnerability involves group names that include virtual group names such as "All," "Known," and "Trusted."
Is authentication required to exploit CVE-2012-4404?
Yes, CVE-2012-4404 requires remote authenticated users to exploit the vulnerability.
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/weakness
- agent/description
- agent/event
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-g4mx-rm5q-vh24
- alias/CVE-2012-4404
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- agent/severity
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/pip
- vendor/moinmo
- canonical/moinmoin
- version/moinmoin/1.9.0
- version/moinmoin/1.9.1
- version/moinmoin/1.9.2
- version/moinmoin/1.9.3
- version/moinmoin/1.9.4